To integrate and automate cloud and on-premises applications, chains leverage Amazon® Web Services (AWS) security and an iPaaS architecture to conform to comprehensive enterprise architecture standards and strict IT security policies. Each layer of the Chain Builder's architecture protects client data and:
- Provides access control to the sensitive systems it interfaces with
- Addresses the requirements of modern architecture
- Is SOC1- and SOC2-compliant
- Often exceeds required cloud certifications
Reference architecture
You securely build chains over the HTTPS (TLS 1.3 or higher) protocol via web- and mobile-enabled devices. Running within the host service is the primary application, an Advanced Encryption Standard (AES)-enabled database that securely houses metadata and a queue to manage communication and task execution on remote CloudRunner and GroundRunner service agents.
In summary, the chain builder's architecture includes:
- The secure browser-based user interface to run and administer integrations.
- The central multi-tenant service hosted in Amazon Web Services (AWS)
- Remote CloudRunner and GroundRunner execution agents to interface with cloud and on-premises applications
GroundRunners and CloudRunners
The execution agents—known as GroundRunners—are hosted on-premises and interface with applications both inside and outside a client network. GroundRunners:
- Have a light resource footprint.
- Support Microsoft Windows®, Linux®, macOS®, and Oracle Solaris® operating systems on physical and virtual computing resources.
- Perform all the required automation and integration tasks, from running a simple operating system command to native application operations such as loading or retrieving data.
To access an on-premises system, you must host a GroundRunner on an operating environment that can access the host service.
If you don't require access to an on-premises system, the default CloudRunner hosted by Workiva executes the integration tasks.
| Deployment Consideration | GroundRunner | CloudRunner |
|---|---|---|
| Installation | Requires installation on a computing environment inside your corporate firewall that can interface with the external host service via port 443. Learn more | None |
| Operating system | Microsoft Windows, Linux, Oracle Solaris, or macOS. The executables run as a service and need to be started under a particular service account with the appropriate privileges to the operating system or other shared resources. | Not applicable |
| Service responsibility | Your organization is responsible to host, manage, and install GroundRunners | The default CloudRunner—provided as part of Chain Builder—is Workiva's responsibility |
| Data flow | With the use of a GroundRunner, your data is not transmitted through the host service | When the CloudRunner interfaces directly with a supported cloud technology, it transmits data through the host service |
| On-premises and cloud integration | Full and seamless integration with both on-premises and cloud applications | Integration only between cloud applications |
| Native use of applications' published APIs | Depending on the on-premises system, connections leverage different application programming interfaces (APIs). For cloud technologies, connections only use published REST APIs that securely transmit data via HTTPS (TLS 1.3). | Connections only use published REST APIs that securely transmit data via HTTPS (TLS 1.3) |
GroundRunners periodically check for new upgrades. When a GroundRunner detects an upgrade, it automatically downloads the new binaries using the stringent secure transport layer. Alternatively, you can download and deploy binaries manually. To prevent man-in-the-middle attacks, new binaries are signed and encrypted.
Network security
Chain Builder is hosted on AWS, and its network operates within a Virtual Private Cloud (VPC). This virtual firewall enables Workiva to control traffic to and from Chain Builder. At a more granular level, Chain Builder's services are hosted within public and private subnets—or isolated blocks of IP addresses—of the VPC. The VPC acts as a DMZ, whereby:
- The public subnets contain services accessed directly via the public Internet via HTTPS requests on a single port (443).
- The private subnets prevent public traffic and host internal services accessed only by services within the VPC.
Data transmission security
To ensure the complete security of data transmission between systems, all traffic to and from Chain Builder is encrypted with the TLS 1.3 protocol using 2048-bit certificates. In addition, communication between internal applications is encrypted to ensure that all transmissions are sent from a legitimate source.
GroundRunners and the CloudRunner support the direct exchange of data, whereby agents can download and exchange files over a communication channel using the same TLS 1.3 protocol in addition to a JSON Web Token (JWT). Each GroundRunner supports direct agent-to-agent data exchange and is configurable to enable or disable this option and control its listening port (by default, 8821).
To create a secure channel, GroundRunners also work with a corporate proxy server directed by your corporate IT to communicate with the host service.
Database layer security
Databases servers are hosted within private subnets. These databases can't be accessed directly from the public Internet; only services within the VPC can connect to them. All connections to databases are password-protected, and only the necessary ports are accessible. To prevent data loss, the databases are highly redundant and distributed across multiple data centers.
Databases are backed up daily. These snapshots are stored in Amazon Simple Storage Service (S3) at an encryption level of AES-256 and across multiple availability zones to ensure an added layer of secure redundancy.
Data and metadata management
To describe and provide information about data, the host service stores this metadata at an encryption level of AES-256:
- Design metadata, such as the configuration of workspaces, chains, and tasks.
- Audit metadata, such as change history for any component, including workspaces, chains, file resources, and schedules.
- Runtime metadata, such as chain and task run history and any logs produced by the server, CloudRunner, or GroundRunners.
The CloudRunner and GroundRunners perform all data transmission and interface directly with:
- The Workiva platform
- Cloud applications such as Anaplan®, Salesforce®, Oracle® EPM Cloud, and Tableau®
- On-premises applications such as Oracle® Hyperion or SQL Server® via their native APIs
A chain may include a task that produces an ephemeral staging flat file known as an output.
- If the CloudRunner generates the output, it is stored at an encryption level of AES-256 on an AWS Elastic File System (EFS) volume.
- If a GroundRunner generates the output, it is ephemerally stored on the file system of the host, which determines the encryption level.
Workflow attachments are ephemeral and disappear after the workflow completes. To preserve a file associated with a workflow, save it to an on-premises file system or a cloud drive such as Google® Drive or BOX®.
Sensitive files—such as resources uploaded for a workspace or connector—are encrypted via HashiCorp Vault Transit encryption and stored encrypted in Amazon Simple Storage Service (S3). Sensitive text fields—such as authentication credentials entered as a connector property—are stored as encrypted HashiCorp Vault Secrets in Amazon DynamoDB®. To store the master key, both Vault Transit and Vault Secrets/KV Store use awskms seal.